infected with trojan posing as Chrome - not sure if clean

System had virus that posed as Chrome. Seems to be gone but need expert opinion. Descriptions and actions taken as follows:

The first symptom was a periodic momentary window flash. I investigated to see what processes were running and found several processes with the same random-character image name (.exe file). Killing them just brought back more. The description for these processes was Google Chrome. Thinking it was Chrome-related, Chrome was de-installed, but this had no effect, making it clear it was masking itself as Chrome.

Searched for the location of this file and found it in AppData\LocalLow\EmieBrowserModeList. There were directories with random names in AppData\Local and AppData\LocalLow, especially under the directories AppData\LocalLow\EmieBrowserModeList, EmieUserList, and EmieSiteList. There was significant CPU usage by these processes and a significant amount of disk writes to files in one of these directories.

Attempts to kill the processes simply resulted in more processes. Attempts to remove the random-named folders resulted in more folders being recreated. Started the system in safe mode and removed the random and Emie* directories, but the Emie* directories were recreated on normal boot, and now the .exe file had moved to AppData\LocalLow\Canon Easy-WebPrint EX2.

Renamed the .exe file to .xxx and eventually the number of these processes dropped to zero. Created a .txt file with a few characters and gave it the same name with .exe. After a normal reboot, no extraneous processes, and no writing to the files in the Emie* directories.

Reconnected the network and ran a Norton Full Scan. Found a few things but believe these were old and unrelated. Ran Norton Power Eraser with rootkit reboot and it found and removed what appeared to have been the cause (a .dll in AppData\LocalLow\Apple Computer). After a normal reboot, no processes. Removed again the Emie* directories and all random-named directories, including the .exe file. After a normal reboot, still no processes and no new random-named directories/files.

Norton full scan now clean, Norton Power Eraser now clean, and Malwarebytes 2.0.4.1028 scan is clean. Seems OK but I want to confirm with those who know. The Emie* directories appear to be part of IE11, but this is a home computer not using Enterprise Mode, so I'm not sure whether these directories are normal or there is still something lurking. These directories have only a container.dat file, which does not appear to be open to any processes, and are 0 bytes in size. Thus I can delete them, but they are recreated on normal reboot.

So, should I still be concerned and do further checking, and if so what would be recommended?

Thanks much for any guidance. frst.txt output below; addition.txt and DDS.txt/attach.txt are attached.

Name: AntiLog32
Description: AntiLog32
Class Guid: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Manufacturer:
Service: AntiLog32
Problem: : This device is not present, is not working properly, or does not have all its drivers installed. (Code 24)
Resolution: The device is installed incorrectly. The problem could be a hardware failure, or a new driver might be needed. Devices stay in this state if they have been prepared for removal. After you remove the device, this error disappears. Remove the device, and this error should be resolved.

System errors:
=============
Error: (02/01/2015 07:11:20 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
%%2

Error: (02/01/2015 07:07:41 PM) (Source: Service Control Manager) (EventID: 7030) (User: )
Description: The NPEService service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.

Error: (02/01/2015 00:59:45 AM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (01/31/2015 07:20:21 PM) (Source: BTHUSB) (EventID: 17) (User: )
Description: The local Bluetooth adapter has failed in an undetermined manner and will not be used. The driver has been unloaded.

Error: (01/28/2015 06:25:49 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update Service (gupdate) service failed to start due to the following error:
%%2
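A defender-side check for the symptom described in the post above (processes whose file description says Google Chrome but whose image runs from an unexpected location, and random-named folders under AppData\LocalLow), as an added PowerShell example that is not part of this thread and is not from FRST, Norton, Malwarebytes or any other tool mentioned here. It assumes the standard Chrome install directories listed in the script; everything it prints is a review list, not a verdict, because legitimate per-user applications also run from AppData.

```powershell
# Added example, not from the thread or from the tools it mentions.
# Two quick triage lists for the situation in the post:
#   1. running processes that claim to be Chrome but do not run from a known
#      Chrome directory, or that run from the user's AppData\Local or
#      AppData\LocalLow tree;
#   2. every .exe found on disk under AppData\LocalLow, newest first.
# Assumptions: the Chrome paths below are the standard install locations;
# on 32-bit Windows the ProgramFiles(x86) entry is simply never matched.

$chromeDirs = @(
    "$env:ProgramFiles\Google\Chrome\Application",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application",
    "$env:LOCALAPPDATA\Google\Chrome\Application"
)

# There is no environment variable for LocalLow, so build it from the profile.
$localLow = Join-Path $env:USERPROFILE 'AppData\LocalLow'

# True when $Path sits anywhere below one of $Dirs.
function Test-InDir([string]$Path, [string[]]$Dirs) {
    foreach ($d in $Dirs) { if ($Path -like "$d\*") { return $true } }
    return $false
}

# FileDescription from the PE version resource; empty string if unreadable.
function Get-FileDescription([string]$Path) {
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($item) { return [string]$item.VersionInfo.FileDescription }
    return ''
}

# 1. Running processes to review. Path is $null for processes we cannot
#    open (e.g. protected or other-user processes), so those are skipped.
Write-Host '== Running processes to review =='
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $desc      = Get-FileDescription $_.Path
    $inChrome  = Test-InDir $_.Path $chromeDirs
    $inAppData = Test-InDir $_.Path @($env:LOCALAPPDATA, $localLow)
    if (-not $inChrome -and ($desc -like '*Chrome*' -or $inAppData)) {
        [pscustomobject]@{
            PID         = $_.Id
            Name        = $_.ProcessName
            Description = $desc
            Path        = $_.Path
        }
    }
} | Format-Table -AutoSize

# 2. Executables on disk under AppData\LocalLow. The post found the dropper
#    under EmieBrowserModeList and later under "Canon Easy-WebPrint EX2".
Write-Host '== .exe files under AppData\LocalLow =='
Get-ChildItem -LiteralPath $localLow -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            LastWrite   = $_.LastWriteTime
            Size        = $_.Length
            Description = Get-FileDescription $_.FullName
            Path        = $_.FullName
        }
    } | Sort-Object LastWrite -Descending | Format-Table -AutoSize
```

Run it from a normal (non-elevated) PowerShell prompt in the affected user's session, since the folders in question live in that user's profile. The first list is where the "Google Chrome" description on a random-named image would have shown up immediately; the second list is the quickest way to see whether anything executable reappears under LocalLow after a reboot, which is the question the post is really asking.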

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.

When you post your reply, use the button instead.

In the upper right hand corner of the topic you will see the button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.

If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.

When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.

I would like to remind you to make no further changes to your computer unless I direct you to do so.

Now let's get started

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Your computer looks pretty good. I want to remove some orphan entries and run a couple of programs.

Please run the below for me.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------

Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter

Please copy and paste the contents of the below code box into the open notepad and save it to your desktop (<<<Important) as fixlist.txt

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)

You are correct, I can't tell you. I am going to leave you with some information to assist in minimizing the chances of a repeat episode.

Now that your computer is running well it is my great pleasure to proclaim to you the Good News!

===================================================

All Clean!

--------------

Your machine appears to be clean and you may delete any programs or logs on your computer as a result of our efforts. If we used Emsisoft Emergency Kit just delete the icon on your desktop and the C:\EEK folder. For everything else you simply delete the log files or desktop icons.

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.